With consumer trends pointing toward “buying local” and supporting their communities, small businesses have a newfound opportunity to thrive in today’s economy. However, that means they are called upon to be as accessible and function as smoothly as larger companies.
Dozens of products allow small firms to host their own websites, do their own accounting and market themselves.
This all means that small businesses collect customer data and must protect it the same way any larger business should.
Unfortunately, smaller businesses frequently believe they aren’t at risk for a cyber attack. They may also find that their longtime insurance agent or broker doesn’t fully comprehend the exposure or the new insurance market that has cropped up to combat cyber risk.
“The naïve person is the worst and the hardest to overcome, even if you show them statistics,” said Joseph Schneider, professional liability manager with Jimcor Agencies in Pennsylvania. Some small business owners feel they’re lucky, or aren’t going to be a target of any wrongdoing.
“Small businesses and consumers are most at risk from losing data, files or memories,” security firm Symantec said in its most recent report on Internet threats. “Prevention and backup are critical to protecting users from this type of attack.”
Scammers targeted small businesses for 30 percent of all “spear phishing” email campaigns in 2013, the report found. That statistic means that one in five small businesses received at least one such email last year.
“Any organization which has within its control or care Social Security numbers or credit card numbers is a candidate for this type of policy because they do have this type of exposure,” said William Austin of Austin and Stanovich, a risk management firm in Providence, R.I. “It may be more manageable the smaller you are, but it’s still an exposure.”
Do agents have answers?
As with so many areas of risk, small businesses rely on their insurance agent or broker to make them aware of the exposure, but sources said the broader independent agent community hasn’t progressed at the same pace of knowledge and understanding of the cyber insurance world.
According to David Beyer, managing member of Digital Risk Resources, a firm based in St. Johnsbury, Vt. that develops and distributes cyber insurance products aimed at small and middle-market businesses, it is taking longer than expected for cyber to become mainstream for Main Street.
“The knowledge base is a little bit all over the board,” Beyer told Advisen. “Bringing the product down to the small to middle market has been very challenging.”
And in many cases, it may be that the insurers agents represent are not offering the products or education they need. There are over 1,000 A-rated insurers in the country, Beyer pointed out, and fewer than 100 offer cyber insurance. Insurers aimed at the smaller commercial market tend to be more traditional and frequently promote the type of products their agents tell them are needed.
“You have a distribution system that tends to sell within its comfort zone,” said Beyer. “They don’t want to deal with hard questions they don’t understand because they don’t want to appear unknowledgeable. They’re just starting to get their arms around the whole concept [of cyber insurance].”
Industry professionals highlight the wide variations in policies, and the exclusions contained within, that can make it challenging to determine the actual quality of the coverage.
One of a very few independent agents who specialize in cyber risk insurance, Christine Marciano president of Cyber Risk Data Managers in New Jersey said that three years ago she saw a chance to find a niche in a new market. Marciano said she answers a lot of questions from other agents.
“The knowledge base is a little bit all over the board,” said Digital Risk Resources’ David Beyer. “Bringing the product down to the small to middle market has been very challenging.”
“It’s impossible to learn the product in an hour,” said Marciano. “It’s a whole new confusing product, even for an agent. They have to really review the information and roll up their sleeves and really understand it.”
Retail agents currently have a “meager understanding” of the product, Austin added.
Schneider, as a wholesale broker, said he rarely meets a retail agent that isn’t aware of the risk, but is still concerned by agents that aren’t taking the time to “recognize the area of opportunity and familiarize themselves.”
“Most of them are sophisticated and savvy to know there’s a problem,” he said. “We’re still at a point where many agents understand the problem, but not the options available.”
Education and E&O risk
Schneider said his firm offers educational seminars for retail agents and their clients. “For a retail agent, they sell what they’re most comfortable explaining,” he said. “The wholesale community has been one of the leaders in educating the retail agents. The most effective way to get the information in front of them is face-to-face.”
According to Beyer, the level of company support agents receive makes a difference in whether they’ll push a product that doesn’t seem to be a big winner, premium-wise. Insurers fall into two “buckets” – the ones who go out and “sell” their cyber coverage to agents and the ones who make it available for purchase, he said.
The first bucket of companies, “they really get behind the product,” said Beyer. “They push awareness and training out to their agency force and have a pretty aggressive marketing campaign. Then a lot of companies say ‘hey, we have cyber insurance coverage, come buy it!’ And then you hear crickets. Agents don’t feel the support and they’re not comfortable, so they’re not going to take the next step.”
There’s another aspect to the issue for agents and brokers. If they want to avoid potential errors and omissions claims from clients who should be warned about the risk of data loss they present need to be ready to explain the risk, if not ultimately sell the product.
“In the last year, one of the significant drivers to adoption has been the insurance agent E&O risk for failing to offer cyber insurance,” Beyer said. He explained that agents have been sued by clients who’ve had a data breach.
“If you’ve had your BOP with an agent for 10 years and they fail to offer cyber, the client will probably end up having coverage under their agent’s professional E&O policy,” Beyer said.
Pitching the product
Austin said he highlights the average cost of a data breach per compromised record. A recent analysis determined an average cost of $201 per leaked record. Austin advises clients to think of just how many records they maintain.
“That alone is enough to get somebody’s attention,” he said. Austin also warned small businesses to recognize the risk beyond digital data.
“People overlook the fact that there’s still a tremendous amount of data that’s still in paper form.” He said, adding that state and federal laws require protection of both forms of data. “That’s something that I think that a lot of potential insureds and the people trying to sell it, be it an agent or broker, don’t understand.”
“Many of them still don’t understand,” added Marciano. Small businesses need to comprehend the threat of data loss and the chance that a breach at one of their larger business partners could result in being drawn into a lawsuit.
“If a breach happens because of them, the larger organization might come back, looking to bring them into the lawsuit,” she said, citing the breach at retailer Target that was traced back to hacking at a smaller HVAC vendor.
Marciano also noted that the recent announcement that Microsoft would no longer update Windows XP as a new hazard for small businesses, leaving them open to new viruses and cybercrime.
“It just opens up the door for more risk,” she said, emphasizing that a data breach could push a small business into bankruptcy just trying to meet the costs of notification. “For a small business, when you think about that, they don’t have a lot of funding.”
Uphill sales battle
For Jimcor, Schneider said, the cyber market began to pick up in sales in 2011, after a data breach at Sony exposed PlayStation Network users’ data. News coverage of cyber risk has propelled businesses’ interest in it, he added.
“It’s an uphill battle, but we’ve been much more successful,” Schneider said.
Marciano said the options are “affordable, and have the coverages that a small business would need.” She said that while cyber endorsements to small business policies are one option, they typically offer low limits that probably won’t cover all the costs of a breach.
“The standalone offers more coverage, much broader coverage, and higher limits,” Marciano said. “There are definitely a lot more available, versus even just a year ago.”
Beyer outlined some of the primary benefits of a solid cyber insurance program, including credit and fraud monitoring, privacy awareness training, and third-party liability to meet the claims of the consumers affected by a breach.
“The company that is breached is likely to get sued,” he said. “It’s great to have legal defense on hand in case you get sued.”
Small businesses likely won’t have an experienced team in place for responding to a data breach, but they can plan ahead. The best coverage meets that need for them.
“The better insurance policies today offer more than insurance,” said Schneider. “It’s an approach that starts before the insurance comes into play.”
Insurers and agents can evaluate which clients would benefit from cyber coverage beginning with an insurance application. Schneider called cyber risk “one of the rare exposures that, through no fault of their own,” businesses can experience a major loss, “if they’re not thinking about it.”
“The better business owner is going to have security and protocols in place,” he said. “The insurance application has a specific question for data security. That’s the first indication that they have room for improvement and are probably a candidate to buy the insurance because they have a problem.”
Marciano observed plenty of “window shopping” going on in the market. Small and mid-sized organizations are interested, even if they aren’t all buying yet.
Beyer said smaller businesses tend to be curious, noting, “They are more price-sensitive than coverage savvy right now.”
Accountants, real estate agents, insurance agents, businesses that maintain personally identifiable information are more likely to buy cyber insurance. Those professionals understand that they have regulatory compliance responsibilities and may have more cash in their insurance budget. Beyer said insurance agents who buy the coverage to protect themselves have even better luck with their customers.
Agents have been able to help insurers market cyber insurance better by identifying the key decision makers for smaller businesses. It might be the owner or proprietor or an office manager being asked to “make an important decision without all of the information,” said Beyer. Insurers and agents can tailor their sales pitches better, even for professionals without an IT background.
“It’s going to be very confusing for a lot of people for at least the next five years,” Beyer predicted. “There are a whole bunch of things that need to come together.”